As every experienced CSO understands all too well, security is a continuous exercise in evaluating and balancing a nexus of trade-offs between risk, cost, and user experience. This calculation becomes especially tricky when it comes to weighing the trade-offs between how to properly authenticate a user and do so without degrading their experience.
If you demand too much personal information from a new customer during onboarding to verify their identity (for example, requiring a potential new user to send a photo of their driver’s license), you risk creating an onerous sign-up process and losing that customer. Ask too little, and you expose yourself to unnecessary risk, fraud, or a catastrophic data breach.
The stakes can be even higher for business users, who typically log into a dozen or more cloud-based applications every day. Enterprise security policies often require employees to change their passwords every 60 or 90 days to keep access to critical systems, even though NIST SP 800-63B now recommends against forced periodic rotation and in favor of screening new passwords against lists of known-breached passwords. Either way, IT administrators spend a good portion of their day helping users recover passwords, which is one reason for the broad adoption of Single Sign-On (SSO) and commercial password management services.
So, where and how exactly should we be drawing the line between ensuring seamless user experiences without compromising the integrity of established security protocols?
Understanding the Risks of Single Points of Failure
A single point of failure is any component without redundancy whose failure takes down the entire system (for example, a single server hosting a particular application). In the context of authentication, password managers and social logins give users the convenience of creating and managing stronger passwords, but they also concentrate trust: if the one account that holds or vouches for all the others is compromised, the attacker has the keys to the kingdom across all of your logins.
Compounding this issue is the fact that humans remain the weakest link in the security chain. According to a survey conducted by the Harris Poll, 59% of people report using the same password across multiple sites. This chronic reuse of credentials means that a breach of any one site can be replayed against all the others (credential stuffing), so one compromise quickly cascades into many compromised accounts.
With the typical enterprise running an average of 200 applications, the appeal of SSO tools is easy to understand. But like any unified system that consolidates authentication credentials, SSO trades hardened security for user convenience, which makes it ripe for exploitation and abuse. This was on full display in the ‘PerSwaysion campaign’, a highly targeted phishing operation against Office 365 users that harvested the credentials of at least 150 executives by abusing Microsoft’s SSO feature.
Passwords Managers and Social Logins in the Crosshairs
It should come as little surprise that, as we have demanded that users create complex and unique passwords for all of their accounts, a cottage industry of password and login management applications targeting both the consumer and enterprise markets has emerged. Password management applications and services such as 1Password, LastPass, and Roboform have exploded in popularity by offering a compelling value proposition to both users and security managers, yet the convenience they offer comes with a price.
While password management apps do improve users’ password hygiene and limit the recycling of one password across many sites, they are also a high-value target: threat actors run targeted campaigns against individual users to obtain the master password, and they hunt for vulnerabilities in the applications themselves.
In July 2020, online password management provider LastPass warned users that cybercriminals were running targeted spear-phishing campaigns to obtain users’ master passwords. In March 2020, security researchers at the University of York published proof-of-concept attacks against vulnerabilities in the Android apps and Chrome extensions of five of the most widely used password managers.
Social logins such as those offered by Facebook, YouTube, and dozens of other well-known social brands are another example of using an established account as a trust factor to authenticate users. Facebook’s login API is currently the most popular proxy for identity, letting users bypass the registration pages of participating third-party sites; an estimated 160,000 websites currently offer this option for registering new accounts.
This is a trade-off that many internet users are happy to make: it saves the time and hassle of creating a separate login and password, and it lets users limit how much personal information they share with additional sites. The flip side is that, despite the vast security resources at Facebook’s disposal, it is hardly immune to vulnerabilities and targeted attacks. Beyond the massive 2018 breach in which the access tokens of 50 million accounts were stolen, attackers also deploy sophisticated ‘pop-up’ phishing campaigns that imitate the social login dialog to harvest user credentials at scale.
Striking the Right Balance
While the death of the password has been heralded as ‘just around the corner’ for the better part of two decades, the unfortunate truth is that passwords will likely remain the primary authentication method for consumers and business users for the near future. But this does not mean there are no practical steps security leaders can take in the meantime to mitigate these potential single points of failure. If you are not already doing so, consider adopting the following strategies:
- Embrace a Layered Approach to Security: Every stage of the cyber kill chain is an opportunity to add a control that catches what the previous layer missed, and every critical component is an opportunity to add redundancy so you can fail over to another system in the event of a disruption. This sounds basic, yet many companies do not realize their exposure to a single point of failure until it is too late.
- Make Zero Trust a Guiding Principle: Zero Trust replaces the old ‘trust but verify’ model with ‘never trust, always verify’: every device, user, or resource that attempts to reach an asset must be authenticated and authorized on each request, regardless of its network location. A software-defined perimeter is one mechanism for enforcing this centrally, and it gives security teams another lever for mitigating these types of risk.
- Use Multi-Factor Authentication (MFA) Wherever Possible: An increasing number of applications and services offer MFA, letting users verify their identity with a second factor such as an authenticator app on their phone, a hardware security key, or a one-time code, with signals such as location used to decide when to challenge. Not all factors are equal: SMS and app-generated one-time codes can be relayed in real time by the same phishing pages that steal passwords, whereas FIDO2/WebAuthn security keys bind the credential to the site’s origin and resist that attack. And just because these options are available does not mean users turn them on, so users must be continuously educated on enrolling in and using them.
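To make the MFA point concrete, here is an added example (not code from the original article) of the app-generated one-time code factor described above: an RFC 6238 TOTP generator built on RFC 4226 HOTP using only the Python standard library, plus a server-side verifier that tolerates one time step of clock skew and refuses to accept a counter that has already been used. The secret and time values are the published RFC 6238 test vectors; the verifier class, its window size and its replay rule are this example’s own design choices.

```python
import hashlib
import hmac
import struct
import time

# Added example: RFC 6238 TOTP on top of RFC 4226 HOTP, standard library only.
# SECRET is the ASCII test secret from the RFCs, not a production key.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay protection.

    `window` is how many 30-second steps either side of 'now' are accepted.
    A code is only good once: the highest accepted counter is remembered and
    anything at or below it is rejected, so a captured code cannot be replayed
    later in the same or an earlier step. This does NOT stop a phishing page
    that relays the code to the real site within the same step (see text).
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest counter already accepted

    def verify(self, code: str, at: float) -> bool:
        now_counter = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue  # already consumed: reject replays
            # compare_digest avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Prints the current code for SECRET; compare with any authenticator app
    # provisioned with base32 "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ" (the same bytes).
    print(totp(SECRET, time.time()))
```

The generator side is exactly what an authenticator app does, which is why the same code can be typed into a look-alike page and forwarded to the real site by the attacker; the replay guard only helps once the legitimate login has consumed the counter. If that relay is in your threat model, the mitigation is the origin-bound factor (FIDO2/WebAuthn) named in the list above, not a tighter window.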
Trade-offs in cybersecurity are a fact of life for security leaders, who will always have to decide how much risk they are willing to accept relative to cost and the experience of their users. However, by taking the time now to understand the relative weight and value of these trade-offs, you will be in a far better position to recognize where those single points of failure lie and to ensure they are fully resilient and secure.